It is now common practice for individuals to obtain financial information from financial institutions using IVR systems. Such systems allow a caller to obtain account balances, last payments, credit lines, etc. simply by calling a phone number and listening to a series of voice prompts that instruct the caller to enter an account number, followed by a prompt for a PIN. When IVR systems were first introduced, the caller would use the keypad on a telephone to enter the desired information. Advances in the Internet now allow users to use data services, such as voice (speech) over the Internet (VoIP) systems, to access the user's information. Thus it is not uncommon now for a user to obtain financial, medical and other private information over the Internet.
Phishing and other fraudulent activities on the Internet allow attackers to set up false systems that emulate an institution's IVR system. By doing so, an attacker can obtain a customer's private log-on information (such as user account, name, social security number, PIN, etc.), thereby allowing the attacker to fraudulently obtain private information and even to conduct financial transactions such as withdrawals and transfers of cash from a target's account. Phishing works because the fraudulent attacker masquerades as a trustworthy entity in an electronic communication and the user, believing he/she is dealing with a known institution, provides the sensitive information.
In some situations, institutions using web-based technology will provide a distinctive pre-identified logo or icon to the accessing computer user. This icon is typically provided so that the user will know that he/she is accessing the known and correct institution. Thus, absence of this pre-identified icon indicates to the user that something is wrong and that he/she may be communicating with a fraudulent attacker. While such technology reduces phishing for web-based communication, it does not protect IVR systems.